Social media apps that promise ephemeral communications or true anonymity frequently fail to live up to all meaningful expectations.
User locations are tracked without permission. "Disappearing" photos and messages are hacked in massive numbers. Users who thought they were communicating anonymously are discovered and linked to their real identities.
That's just the start of the laundry list of allegations against services including Snapchat and Whisper. If there is a lesson to be learned from the past few months, it's that nothing disappears forever, and people are often tracked by the apps they willingly use every day.
Privacy in the era of social media is a promise left unfulfilled. The events of the past couple of months make this abundantly clear. In almost every case, the companies place the onus of managing, maintaining and securing privacy entirely on users.
Last month's hack of more than 100 celebrities' personal iCloud accounts spotlights the inherent vulnerability of Web-based services, regardless of the company in charge. Apple accurately claimed that it wasn't hacked, but the personal accounts of some of its most high-profile users were overtaken.
Snapchat Hack Exposes More Than 260,000 Users
Snapchat is again in the privacy crosshairs barely a month after the iCloud debacle. Another anonymous hacker claims to have gained access to Snapsaved, a third-party app that lets Snapchat users save the pictures they receive via the service before they self-destruct.
Some estimates suggest more than 260,000 Snapchat users were compromised. Snapchat quickly distanced itself from the snafu by claiming it's not at fault if users share their login details with outside parties.
We can confirm that Snapchat’s servers were never breached and were not the source of these leaks.— Snapchat (@Snapchat) October 10, 2014
Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our ToU.— Snapchat (@Snapchat) October 10, 2014
The company later followed up with a blog post that outlined its opposition to third-party apps, but it did little to stop the bleeding or effectively shut down such apps. Instead, Snapchat blamed its users.
From the blog post:
"When you give your login credentials to a third-party application, you're allowing a developer, and possibly a criminal, to access your account information and send information on your behalf."
Snapchat did not respond to a CIO.com request for further comment.
Overall, the response is woefully lacking for a company that already settled charges with the FTC over the amount of data it collects and in relation to false promises about the disappearance of messages sent through its app. Snapchat owes its users a more deliberate mechanism to ensure privacy, especially because more than half of its users are under the age of 18.
Cloud-based leaks and hacks are mounting, and Snapchat should do more to slow the trend. The hacked Snapsaved app amassed almost 13GB of photos, including images from users who never used the app but unknowingly sent photos to others who had.
Users sometimes expect more privacy than Snapchat could ever realistically provide. While it wouldn't do the company much good to admit this fact, it could at least come clean about how it exaggerated the promise of privacy in the past. Telling users to stop using third-party apps just doesn't cut it.
Whisper Unwittingly Exposes Privacy Flaws
The dust had barely settled around Snapchat when things took a more damning turn for one of it competitors. Whisper, an app that promises user anonymity and promotes itself as a safe haven for open and intimate communications, was hit with serious accusations from The Guardian.
During meetings about a potential partnership, the newspaper discovered that Whisper was tracking the location of its users, monitoring the activity of users deemed potentially newsworthy and storing that data indefinitely.
Whisper's trove of data has a full history of every message posted using the app, including messages that were previously deleted, according to The Guardian. Users who opt out of geolocation services were reportedly still tracked via IP data, which can be used to determine location within 500 meters.
A war of words erupted, including a point-by-point rebuttal from The Guardian after one Whisper executive dismissed the reports, on Twitter, as "lousy with falsehoods" and a "pack of vicious lies."
First response: The Guardian’s piece is lousy with falsehoods, and we will be debunking them all. Much more to come.— Neetzan Zimmerman (@neetzan) October 16, 2014
Whisper Editor in Chief Neetzan Zimmerman responded first, and CEO Michael Heyward eventually stepped in a couple days later to address the claims in a blog post.
The split response highlighted a gap in the pair's response to some of The Guardian's most alarming claims. Zimmerman quickly dismissed a series of unattributed quotes as fabrication and "outright lies," while Heyward said the company was still investigating the matter.
Of course we’re investigating the Guardian’s unattributed quotes and I will take immediate action if we discover they’re true.— Michael Heyward (@michaelheywire) October 19, 2014
"Our top priority is to ensure people feel comfortable sharing their most intimate and personal thoughts," Heyward wrote, after mincing words over what specific user data is collected and the extent to which users can be identified based on the information.
Heyward says Whisper collects IP addresses and deletes them after seven days, collects the GPS location only of users who opt in, and does not collect any personally identifiable information, such as names, email addresses or phone numbers.
The Whisper CEO also says the company does not actively track users, but his comments suggest some employees (particularly those who spoke to The Guardian about tracking users) may be doing just that. An investigation into the matter is ongoing, and the company is withholding further comment until it learns more.
"Above all else, we always strive to do right by our users. We have zero tolerance for any employee that violates that trust," Heyward writes.
If there is any silver lining for Snapchat, Whisper and other services that fail to live up to users' privacy expectations it's that they're not alone. A recent survey conducted by HP found that on average companies are hit with one successful cyber attack or hack every four days.
The big difference for Snapchat and Whisper is that its users often share intimate messages and images. These services set a high bar high for user privacy and anonymity, and instead of vaulting over the bar they sneak under it and hope users won't notice their limbo.
This story, "Snapchat, Whisper promise privacy but fail (miserably) to deliver" was originally published by CIO.